[PATCH 0/2] Fixes for Tegra audio

[PATCH 0/2] Fixes for Tegra audio

[Sameer Pujar]

This is a small series which fixes two bugs which were discovered
on NVIDIA Jetson AGX Orin platform.

The first patch in the series fixes a KASAN UAF bug discovered
during suspend/resume testing. This is a core DAPM fix.

The second patch fixes CBB error and this is Tegra in AHUB driver.
This error happens when Tegra audio drivers were built as part of
kernel image.

Mohan Kumar (1):
  ASoC: tegra: Fix CBB error during probe()

robelin (1):
  ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

 sound/soc/soc-dapm.c            |  1 +
 sound/soc/tegra/tegra210_ahub.c | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

-- 
2.17.1

[PATCH 1/2] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

[Sameer Pujar]

From: robelin <robelin@nvidia.com>

When using kernel with the following extra config,

  - CONFIG_KASAN=y
  - CONFIG_KASAN_GENERIC=y
  - CONFIG_KASAN_INLINE=y
  - CONFIG_KASAN_VMALLOC=y
  - CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() access a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:

[   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
[   52.047771]
[   52.047776] CPU: 7 PID: 2330 Comm: systemd-sleep Tainted: G           O      5.15.148-tegra #9
[   52.047781] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS 36.4.0-gcid-36705213 07/01/2024
[   52.047785] Call trace:
[   52.047787]  dump_backtrace+0x0/0x3c0
[   52.047794]  show_stack+0x34/0x50
[   52.047797]  dump_stack_lvl+0x68/0x8c
[   52.047802]  print_address_description.constprop.0+0x74/0x2c0
[   52.047809]  kasan_report+0x210/0x230
[   52.047815]  __asan_report_load1_noabort+0x3c/0x50
[   52.047820]  snd_pcm_suspend_all+0x1a8/0x270
[   52.047824]  snd_soc_suspend+0x19c/0x4e0
[   52.047831]  dpm_prepare+0x1c0/0xb90
[   52.047838]  dpm_suspend_start+0x30/0xe0
[   52.047842]  suspend_devices_and_enter+0x220/0xfd0
[   52.047849]  pm_suspend+0x464/0x560
[   52.047853]  state_store+0xac/0x180
[   52.047856]  kobj_attr_store+0x3c/0x90
[   52.047861]  sysfs_kf_write+0x10c/0x180
[   52.047868]  kernfs_fop_write_iter+0x280/0x3e0
[   52.047873]  new_sync_write+0x2cc/0x4c0
[   52.047877]  vfs_write+0x514/0x760
[   52.047880]  ksys_write+0x100/0x1f0
[   52.047883]  __arm64_sys_write+0x78/0xc0
[   52.047887]  invoke_syscall+0x7c/0x280
[   52.047892]  el0_svc_common.constprop.0+0xcc/0x270
[   52.047897]  do_el0_svc+0xb0/0x100
[   52.047901]  el0_svc+0x3c/0x90
[   52.047905]  el0t_64_sync_handler+0xac/0x130
[   52.047908]  el0t_64_sync+0x1a4/0x1a8

The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
making any access. So we need to always set 'substream->runtime' to NULL
everytime we kfree() it.

Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Signed-off-by: robelin <robelin@nvidia.com>
Signed-off-by: Sameer Pujar <spujar@nvidia.com>
---
 sound/soc/soc-dapm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index d7d6dbb9d9ea..e5900cb65cf6 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4056,6 +4056,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
 
 	case SND_SOC_DAPM_POST_PMD:
 		kfree(substream->runtime);
+		substream->runtime = NULL;
 		break;
 
 	default:
-- 
2.17.1

[PATCH 2/2] ASoC: tegra: Fix CBB error during probe()

[Sameer Pujar]

From: Mohan Kumar <mkumard@nvidia.com>

When Tegra audio drivers are built as part of the kernel image,
TIMEOUT_ERR is observed from cbb-fabric. Following is seen on
Jetson AGX Orin during boot:

[    8.012482] **************************************
[    8.017423] CPU:0, Error:cbb-fabric, Errmon:2
[    8.021922]    Error Code            : TIMEOUT_ERR
[    8.025966]    Overflow              : Multiple TIMEOUT_ERR
[    8.030644]
[    8.032175]    Error Code            : TIMEOUT_ERR
[    8.036217]    MASTER_ID             : CCPLEX
[    8.039722]    Address               : 0x290a0a8
[    8.043318]    Cache                 : 0x1 -- Bufferable
[    8.047630]    Protection            : 0x2 -- Unprivileged, Non-Secure, Data Access
[    8.054628]    Access_Type           : Write
[    8.058223]    Access_ID             : 0x0
[    8.058224]    Fabric                : cbb-fabric
[    8.065056]    Slave_Id              : 0x26
[    8.068295]    Burst_length          : 0x0
[    8.071798]    Burst_type            : 0x1
[    8.075127]    Beat_size             : 0x2
[    8.078351]    VQC                   : 0x0
[    8.081146]    GRPSEC                : 0x7e
[    8.084208]    FALCONSEC             : 0x0
[    8.087450]    AXI2APB_2_BLOCK_TMO_STATUS : 0x1
[    8.092118]    AXI2APB_2_BLOCK0_TMO : 0x4
[    8.096255]  **************************************
[    8.101366] ------------[ cut here ]------------
[    8.106130] WARNING: CPU: 0 PID: 124 at drivers/soc/tegra/cbb/tegra234-cbb.c:604 tegra234_cbb_isr+0x134/0x178
[    8.116405] Modules linked in:
[    8.119585] CPU: 0 UID: 0 PID: 124 Comm: kworker/u50:2 Not tainted 6.11.0-rc4-next-20240823-00004-g0ed92c507dab #4
[    8.130260] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS buildbrain-gcid-37325339 08/21/2024
[    8.141384] Workqueue: events_unbound deferred_probe_work_func
[    8.147422] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    8.154604] pc : tegra234_cbb_isr+0x134/0x178
[    8.159093] lr : tegra234_cbb_isr+0x10c/0x178
[    8.163582] sp : ffff800080003c60
[    8.167000] x29: ffff800080003c60 x28: ffffd89a3d40b988 x27: 0000000000000001
[    8.174362] x26: ffff000006f90000 x25: 0000000000000001 x24: 00000000000000c0
[    8.181725] x23: ffffd89a3c030440 x22: ffffd89a3d6d1c48 x21: 0000000000000021
[    8.189089] x20: ffffd89a3d40b998 x19: 0000000000000000 x18: ffffffffffffffff
[    8.196443] x17: ffff27756663b000 x16: ffff800080000000 x15: ffff8001000036f7
[    8.203800] x14: 0000000000000000 x13: 2a2a2a2a2a2a2a2a x12: 2a2a2a2a2a2a2a2a
[    8.211154] x11: 2a2a2a2a2a2a2a2a x10: ffffd89a3d0a7520 x9 : ffffd89a3a9ebfa4
[    8.218513] x8 : 00000000ffffefff x7 : ffffd89a3d0a7520 x6 : 0000000000000000
[    8.225877] x5 : 80000000fffff000 x4 : 0000000000000fff x3 : 0000000000000000
[    8.233240] x2 : 0000000000000000 x1 : ffff000006f90000 x0 : 0000000100010101
[    8.240602] Call trace:
[    8.243126]  tegra234_cbb_isr+0x134/0x178
[    8.247261]  __handle_irq_event_percpu+0x60/0x238
[    8.252132]  handle_irq_event+0x54/0xb8
[    8.256085]  handle_fasteoi_irq+0xac/0x1e0
[    8.260320]  generic_handle_domain_irq+0x34/0x58
[    8.265075]  gic_handle_irq+0x54/0x120
[    8.268950]  do_interrupt_handler+0x58/0x98
[    8.273267]  el1_interrupt+0x34/0x68
[    8.276974]  el1h_64_irq_handler+0x18/0x28
[    8.281196]  el1h_64_irq+0x64/0x68
[    8.284700]  handle_softirqs+0xa4/0x368
[    8.288665]  __do_softirq+0x1c/0x28
[    8.292263]  ____do_softirq+0x18/0x30
[    8.296034]  call_on_irq_stack+0x24/0x58
[    8.300076]  do_softirq_own_stack+0x24/0x38
[    8.304390]  irq_exit_rcu+0x94/0xd0
[    8.307992]  el1_interrupt+0x38/0x68
[    8.311676]  el1h_64_irq_handler+0x18/0x28
[    8.315902]  el1h_64_irq+0x64/0x68
[    8.319406]  _raw_spin_unlock_irqrestore+0x10/0x58
[    8.324354]  regmap_update_bits_base+0x80/0xa8
[    8.328945]  tegra210_mvc_runtime_resume+0x60/0x80
[    8.333898]  pm_generic_runtime_resume+0x34/0x58
[    8.338665]  __rpm_callback+0x50/0x1b0
[    8.342530]  rpm_callback+0x70/0x88
[    8.346128]  rpm_resume+0x430/0x638
[    8.349722]  __pm_runtime_resume+0x54/0xa0
[    8.353944]  tegra210_mvc_reset_vol_settings+0x48/0x110
[    8.359325]  tegra210_mvc_platform_probe+0xd8/0x140
[    8.364350]  platform_probe+0x70/0xf0
[    8.368130]  really_probe+0xc4/0x2a8
[    8.371814]  __driver_probe_device+0x80/0x140
[    8.376302]  driver_probe_device+0x48/0x170
[    8.380614]  __device_attach_driver+0xc0/0x148
[    8.385189]  bus_for_each_drv+0x88/0xf0
[    8.389154]  __device_attach+0xb0/0x1c0
[    8.393107]  device_initial_probe+0x1c/0x30
[    8.397415]  bus_probe_device+0xb4/0xc0
[    8.401370]  device_add+0x598/0x768
[    8.404967]  of_device_add+0x4c/0x70
[    8.408664]  of_platform_device_create_pdata+0x98/0x130
[    8.414047]  of_platform_bus_create+0x188/0x3a8
[    8.418717]  of_platform_populate+0x60/0x108
[    8.423120]  tegra_ahub_probe+0xe4/0x180
[    8.427162]  platform_probe+0x70/0xf0
[    8.430934]  really_probe+0xc4/0x2a8
[    8.434618]  __driver_probe_device+0x80/0x140
[    8.439108]  driver_probe_device+0x48/0x170
[    8.443418]  __device_attach_driver+0xc0/0x148
[    8.447995]  bus_for_each_drv+0x88/0xf0
[    8.451949]  __device_attach+0xb0/0x1c0
[    8.455901]  device_initial_probe+0x1c/0x30
[    8.460211]  bus_probe_device+0xb4/0xc0
[    8.464163]  device_add+0x598/0x768
[    8.467762]  of_device_add+0x4c/0x70
[    8.471446]  of_platform_device_create_pdata+0x98/0x130
[    8.476827]  of_platform_bus_create+0x188/0x3a8
[    8.481501]  of_platform_populate+0x60/0x108
[    8.485902]  tegra_aconnect_probe+0x9c/0x118
[    8.490322]  platform_probe+0x70/0xf0
[    8.494095]  really_probe+0xc4/0x2a8
[    8.434618]  __driver_probe_device+0x80/0x140
[    8.439108]  driver_probe_device+0x48/0x170
[    8.443418]  __device_attach_driver+0xc0/0x148
[    8.447995]  bus_for_each_drv+0x88/0xf0
[    8.451949]  __device_attach+0xb0/0x1c0
[    8.455901]  device_initial_probe+0x1c/0x30
[    8.460211]  bus_probe_device+0xb4/0xc0
[    8.464163]  device_add+0x598/0x768
[    8.467762]  of_device_add+0x4c/0x70
[    8.471446]  of_platform_device_create_pdata+0x98/0x130
[    8.476827]  of_platform_bus_create+0x188/0x3a8
[    8.481501]  of_platform_populate+0x60/0x108
[    8.485902]  tegra_aconnect_probe+0x9c/0x118
[    8.490322]  platform_probe+0x70/0xf0
[    8.494095]  really_probe+0xc4/0x2a8
[    8.497779]  __driver_probe_device+0x80/0x140
[    8.502263]  driver_probe_device+0x48/0x170
[    8.506571]  __device_attach_driver+0xc0/0x148
[    8.511149]  bus_for_each_drv+0x88/0xf0
[    8.515102]  __device_attach+0xb0/0x1c0
[    8.519055]  device_initial_probe+0x1c/0x30
[    8.523363]  bus_probe_device+0xb4/0xc0
[    8.527316]  deferred_probe_work_func+0x90/0xd0
[    8.531984]  process_one_work+0x15c/0x3c0
[    8.536128]  worker_thread+0x2e0/0x3e8
[    8.539995]  kthread+0x120/0x130
[    8.543328]  ret_from_fork+0x10/0x20
[    8.547018] ---[ end trace 0000000000000000 ]---

These errors happen when MVC device, which is a child of AHUB
device, tries to access its device registers. This happens as
part of call tegra210_mvc_reset_vol_settings() in MVC device
probe().

The root cause of this problem is, the child MVC device gets
probed before the AHUB clock gets enabled. The AHUB clock is
enabled in runtime PM resume of parent AHUB device and due to
the wrong sequence of pm_runtime_enable() in AHUB driver,
runtime PM resume doesn't happen for AHUB device when MVC makes
register access.

Fix this by calling pm_runtime_enable() for parent AHUB device
before of_platform_populate() in AHUB driver. This ensures that
clock becomes available when MVC makes register access.

Fixes: 16e1bcc2caf4 ("ASoC: tegra: Add Tegra210 based AHUB driver")
Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
Signed-off-by: Ritu Chaudhary <rituc@nvidia.com>
Signed-off-by: Sameer Pujar <spujar@nvidia.com>
---
 sound/soc/tegra/tegra210_ahub.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sound/soc/tegra/tegra210_ahub.c b/sound/soc/tegra/tegra210_ahub.c
index 3f114a2adfce..ab3c6b2544d2 100644
--- a/sound/soc/tegra/tegra210_ahub.c
+++ b/sound/soc/tegra/tegra210_ahub.c
@@ -2,7 +2,7 @@
 //
 // tegra210_ahub.c - Tegra210 AHUB driver
 //
-// Copyright (c) 2020-2022, NVIDIA CORPORATION.  All rights reserved.
+// Copyright (c) 2020-2024, NVIDIA CORPORATION.  All rights reserved.
 
 #include <linux/clk.h>
 #include <linux/device.h>
@@ -1391,11 +1391,13 @@ static int tegra_ahub_probe(struct platform_device *pdev)
 		return err;
 	}
 
+	pm_runtime_enable(&pdev->dev);
+
 	err = of_platform_populate(pdev->dev.of_node, NULL, NULL, &pdev->dev);
-	if (err)
+	if (err) {
+		pm_runtime_disable(&pdev->dev);
 		return err;
-
-	pm_runtime_enable(&pdev->dev);
+	}
 
 	return 0;
 }
-- 
2.17.1

Re: [PATCH 1/2] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 1378 bytes --]

On Fri, Aug 23, 2024 at 02:43:41PM +0000, Sameer Pujar wrote:
> From: robelin <robelin@nvidia.com>
> 
> When using kernel with the following extra config,
> 
>   - CONFIG_KASAN=y
>   - CONFIG_KASAN_GENERIC=y
>   - CONFIG_KASAN_INLINE=y
>   - CONFIG_KASAN_VMALLOC=y
>   - CONFIG_FRAME_WARN=4096
> 
> kernel detects that snd_pcm_suspend_all() access a freed
> 'snd_soc_pcm_runtime' object when the system is suspended, which
> leads to a use-after-free bug:
> 
> [   52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
> [   52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
> [   52.047771]
> [   52.047776] CPU: 7 PID: 2330 Comm: systemd-sleep Tainted: G           O      5.15.148-tegra #9
> [   52.047781] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS 36.4.0-gcid-36705213 07/01/2024
> [   52.047785] Call trace:
> [   52.047787]  dump_backtrace+0x0/0x3c0
> [   52.047794]  show_stack+0x34/0x50


Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 0/2] Fixes for Tegra audio

[Mark Brown]

On Fri, 23 Aug 2024 14:43:40 +0000, Sameer Pujar wrote:
> This is a small series which fixes two bugs which were discovered
> on NVIDIA Jetson AGX Orin platform.
> 
> The first patch in the series fixes a KASAN UAF bug discovered
> during suspend/resume testing. This is a core DAPM fix.
> 
> The second patch fixes CBB error and this is Tegra in AHUB driver.
> This error happens when Tegra audio drivers were built as part of
> kernel image.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/2] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
      commit: b4a90b543d9f62d3ac34ec1ab97fc5334b048565
[2/2] ASoC: tegra: Fix CBB error during probe()
      commit: 6781b962d97bc52715a8db8cc17278cc3c23ebe8

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark